Session Fixation in snipe/snipe-it
Aug 22nd 2022
The session is not invalidated after a password change.
Proof of Concept
Open Snipe-IT in the browser and log in. Do the same in a private window so that there are two sessions for the same account. Change the password in one of the two sessions and observe that the second session is not invalidated.
An old session can be used even after the password has been changed.
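The behaviour described above comes down to sessions not being bound to the password they were created under. The following added example (not Snipe-IT or Laravel code; all names are hypothetical) models a login and password-change flow in memory and replays the advisory's steps in both modes: one where sessions ignore password changes, reproducing the report, and one where every session records the user's password version and is rejected once that version moves on.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    password_version: int = 0  # bumped on every password change


@dataclass
class Session:
    user: str
    password_version: int  # the user's version when this session was created


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class App:
    """Constructed in-memory model of login, sessions and password change."""

    def __init__(self, invalidate_on_password_change: bool) -> None:
        # False reproduces the reported behaviour; True is the fix.
        self.invalidate = invalidate_on_password_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash(password, salt))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(name, user.password_version)
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        """Resolve a session id to a username, or None if the session is invalid."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        user = self.users[sess.user]
        if self.invalidate and sess.password_version != user.password_version:
            # Session predates the latest password change: treat it as logged out.
            del self.sessions[sid]
            return None
        return user.name

    def change_password(self, sid: str, old: str, new: str) -> bool:
        name = self.current_user(sid)
        if name is None:
            return False
        user = self.users[name]
        # Re-verify the current password before allowing the change.
        if not hmac.compare_digest(_hash(old, user.salt), user.pw_hash):
            return False
        user.salt = os.urandom(16)
        user.pw_hash = _hash(new, user.salt)
        user.password_version += 1
        # Re-bind the calling session so the user who changed the password stays
        # logged in; every other session for this user now carries a stale
        # version and will be rejected on its next request.
        self.sessions[sid] = Session(name, user.password_version)
        return True


def second_session_survives(invalidate: bool) -> bool:
    """Replay the advisory's steps: two logins, password change in one, check the other."""
    app = App(invalidate_on_password_change=invalidate)
    app.register("alice", "old-password")
    s1 = app.login("alice", "old-password")
    s2 = app.login("alice", "old-password")
    assert app.change_password(s1, "old-password", "new-password")
    assert app.current_user(s1) == "alice"  # the session that changed the password stays valid
    return app.current_user(s2) == "alice"
```

`second_session_survives(False)` returns True, which is the reported condition; `second_session_survives(True)` returns False, because the version check drops the stale session on its next request. The same effect can be had eagerly by deleting the user's other sessions at change time; the version check is simply more robust when sessions live in a store that is awkward to enumerate. In a Laravel application the framework-level equivalent is `Auth::logoutOtherDevices($currentPassword)` used together with the `Illuminate\Session\Middleware\AuthenticateSession` middleware, which rehashes and re-checks the password on each request.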